Date:      Wed, 29 Jan 2020 04:04:34 -0800
From:      David Wolfskill <david@catwhisker.org>
To:        Gordon Bergling <gbergling@googlemail.com>, Wojciech Puchar <wojtek@puchar.net>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: More secure permissions for /root and /etc/sysctl.conf
Message-ID:  <20200129120434.GM1270@albert.catwhisker.org>
In-Reply-To: <alpine.BSF.2.20.2001291241100.48526@puchar.net> <20200129092631.GA22505@lion.0xfce3.net>

On Wed, Jan 29, 2020 at 10:26:31AM +0100, Gordon Bergling via freebsd-hackers wrote:
> Hi,
>
> I recently stumbled upon the default world readable permissions of /root and
> /etc/sysctl.conf. I think that it would be more secure to reduce the default
> permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
>
> I prepared a differential for the proposed change:
> https://reviews.freebsd.org/D23392
>
> What do you think?
>
> Best regards,
>
> Gordon
> ...

On Wed, Jan 29, 2020 at 12:41:30PM +0100, Wojciech Puchar wrote:
> ...
> fully agree. i do it manually every time i build new system to create
> tarfiles
> ....

For counterpoint, as well as a reminder of the "tools, not policy"
catchphrase, I disagree, as I believe that doing so would increase the
frequency of a need to escalate privilege merely to read (e.g.)
configuration information that is not particularly "secret."

For example, I have encountered systems where the administrator had
/etc/rc.conf not-world-readable; I was needing to obtain root privilege
way too often just to read the file... thus, for merely testing a new
rc.d script (in a mode where it would merely report what it would have
otherwise done).  I submit that this does rather the opposite of
"enhancing" security.

I have no objection to providing a knob to adjust such a thing for a
local configuration, and folks who want it can select it, while those
who don't, need not do so.

Peace,
david
--
David H. Wolfskill				david@catwhisker.org
"Now, with me, there's no lying." -- Donald J. Trump   ["??!?" -- me]

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
